Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes with an item from The Next Web: "Security researchers participating in the Mobile Pwn2Own contest at the EuSecWest Conference in Amsterdam [Wednesday] demonstrated how to hack Android through a Near Field Communication (NFC) vulnerability. The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely take over the device, and download all the data from it."

Also for unbiased view, Pwn2Own is turn based as far as I remember. So any gloating that X device was first to be pwned is meaningless. Teams register before the contest. Team order is chosen randomly (drawing straws, 12 sided dice, whatever). The first team decides which device to be hacked and is given a time period to do so. If they succeed, they get the device. If the first team fails, the second team gets their chance and choice of device. If the first team succeeds, the next team with an unhacked device goes. Some teams register for multiple devices to get a better chance to win something.

So gloating that iOS or Androd was first to be pwned is useless. It doesn't tell anything about ease of hack or relative security of devices. What matters if they were pwned.

So gloating that iOS or Androd was first to be pwned is useless. It doesn't tell anything about ease of hack or relative security of devices. What matters if they were pwned.

What matters is how easily and how quickly (in terms of "go to pwned") they were pwned.

A web browser vulnerability concerns me more than a NFC vulnerability where an attacker has to upload a malicious file. A web browser vulnerability can get you anywhere, you just have to navigate to a site with the malicious code. With an the NFC vulnerability, you have to have your phone centimetres from mine.

From the article about the IOS vulnerability

The security researchers used a malicious webpage to send the iPhone 4Sâ(TM) address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website,

At the same event, they also hacked iOS6. Just to give an unbiased view...

Actually you seem a little misleading given that the iPhones don't have NFC. I think the true subject of the article is NFC not Android. The fact that iOS and Android can get hacked by a malicious webpage seems a bit off topic.

Android and Samsung are mentioned prominently only to get people's attention.

The idea being that it's ok to have an insecure wireless interface on your smartphone as long as you don't have to be *too* close to it for it to work?

NFC stations are not usually on other people, they're in stores and random other places that entice you to use it. A hacked or augmented genuine NFC reader could be made to steal your data, for example.

It is indeed. The difference is your average Joe is fairly likely to know now that he shouldn't click on a link from an unknown address, or his email AV will have sanitized it first. Even if he keeps NFC turned off most of the time (which is not the default) he'll still have to turn it on to, for example, pay for something, and I think that's when it will be most dangerous.

Just offer a public charging station for the phones - lots of people will willingly set their phone within the requisite distance for NFC, no questions asked - even at DefCon or BlackHat, where they should know better.

Also, there have been eavesdropping attacks demonstrated that work at a distance of several meters.

you also need to have NFC enabled on your Galaxy for this to work. NFC is enabled by default, sure. But it can be disabled easily. I also find myself living happily without NFC, but not without tethering, which I use daily during my bus commute.

So my point is that both vulnerabilities suck, and which one sucks the most depends solely on your use-case. There is no point in saying that one device is more secure than the other, both Apple and Google seem to suck big time here. You should not store any sensitive data on your phone.

The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.

They chose to use NFC for the novelty effect. This could just as easily have been done via a malicious website.

Yes both vulnerabilities suck, but they are not equal. For instance, the iOS attack allowed the stealing of contacts, pictures, video, and browsing history. Things that are supposed to be protected in iOS, but in this case weren't sufficiently so. The Android attack allowed the execution of arbitrary code. These two things are not the

The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.

Yes, you do. What you are describing is a different way to accomplish the attack. As an end user, I don't care if the underlying exploit is similar, I only care about how I can be affected by it. This leads to the next point.

They chose to use NFC for the novelty effect.

No, they've chosen NFC because now more phones have it, but mostly because it allows accomplishing the attack without any user intervention at all. People could avoid getting hacked from visiting malicious websites, simply by limiting themselves to trusted sites. Most people only freque

With this Galaxy 3 NFC hack, a stranger could do it sitting next to you on the bus.

No, they'd have to be sitting next to me on the bus AND physically touch my phone with another device long enough to trigger NFC AND I have to have NFC enabled AND keep the devices in physical contact long enough for the download to complete OR hope that I have an active data connection AND the right web browser set as my default so their specially crafted web page loads to root my device...Except that (since I have like six web browsers installed) it requires me to interact with the phone to pick the web browser to open the page... A lot more difficult to arrange than "sitting next to someone".

Also, the ASLR implementation is known to be incomplete on ICS. It's apparently fully fixed on Jelly Bean, so this hack shouldn't be possible on the S3 in a couple months, when the update is rolled out. Likewise, all of the Nexus NFC devices have been updated to Jelly Bean, so they're secure.

Yeah, it's sad that the hack was possible, but it was due to flaws in the OS, not due to problems with NFC, and only under a very contrived set of circumstances...

1) Average users don't install several browsers.2) On a subway or any other crowded enviroment, it's not hard to stay that close to someone for plenty of time.3) "Rolled in a few months" can also be read as "All S3's will be vulnerable for several more months".4) Average users don't change the defaults, including disabling the NFC.

If my phone is in my pocket screen-out, it's going to be nearly impossible to establish an NFC connection in a crowded subway. The phone itself (plus the battery... on my phone, the NFC antenna is actually in the battery, so that it can be close to the back surface) is a pretty good shield.

To give the unbiased view, a hack via website is bad, but one via NFC seems a lot worse (although one hopes you would be suspicious when a stranger starts holding your android up to his; its not exactly "stealthy").

Worse? People visit a dozen websites everyday, but how often do they bump phones with somebody else?

More than that, to prevent NFC hack you just have to flip it off, but to prevent hack via rogue ad iframe... well, if it was Android, you could just block the ads, for example, even with hosts file, or use a different browser, but on iOS you're SoL.

Presumably only when you are outside Apple store lines mocking Apple users? That judging from the short historical documentary I watched. That's just the time an Apple fan might strike with a bump attack though.

to prevent hack via rogue ad iframe...

You have to wait a week or so for the next update, which 90% of the users will get.

An Android user could respond in the same way to make the android marketplace malware argument non sequitur. Dismissing a browser flaw on the basis that you don't visit malicious sites is obviously pretty silly.

I for one keep my device close, and only leave my phone lying under my car's seat or at home. (For extended periods of time) It doesn't take a security researcher to get my data if they could get close enough for NFC. NFC's real working range is less than 2 centimeters. (You might get lucky beyond 2, but you see what I mean)
TFA states that the exploit can also be delivered with more conventional means, so I see no purpose for this article except to cause a panic about NFC. Pretty shameful. And people wond

To give the unbiased view, a hack via website is bad, but one via NFC seems a lot worse (although one hopes you would be suspicious when a stranger starts holding your android up to his; its not exactly "stealthy").

To give a perspective from security, a hack via a web browser is worse because it's not proximity dependent and cant be switched off. An attack via NFC requires your attacker to be physically close and NFC can be turned off.

What isn't clear from the article is if this is a vulnerability in Android or in the S-Beam application used for NFC file transfers on the SGS3. But the article stated the attack is initiated by uploading a malicious file, so there are three really huge hurdles to this attack.

"The security researchers used a malicious webpage to send the iPhone 4S’ address book, browsing history, photos, and videos to a server of their choice. It was a drive-by download attack, meaning the user just has to go to the website, but doesn’t have to click (err, tap) on anything to have their data stolen. Furthermore, the site does not crash the browser, so the user is oblivious to losing their data."

I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.Has it not been the case for a very long time that if you lose your handset that someone can use it, NFC or no NFC? Oh, and they need to trigger the exploit 185 times before it worked. I think we are still reasonably safe.

The Hacks just prove that there is a rush to implement new technology without considering the security implications of the tech.

This is just history repeating itself. Every company wants to be the first to announce this brand new, 'cool' feature, but none will wait for the 'geeks' to test it for security issues.

The irksome thing is that, while NFC is mildly novel in terms of the RF tricks(supporting both active/passive RFID-type use cases and short-range active/active ones), and I could see there being some teething pains on that side, these attacks are on NFC as an external data bus that wasn't attended to properly... Some sort of 'specially crafted responses cause hard lockup on $FOOCORP NFIC123 chips with firmware 1.0A' attack would be bad; but more or less par for the course. A more generic 'Hi guys! We added another wireless interface to your phone that happily talks to anything nearby by default, and even automatically executes certain local commands based on what it hears, that's cool, right?" mistake is... unimpressive.

NFC may be new; but the fact that an easily accessible external bus would be an attack vector, against which you should be on your guard, sure isn't. It's less clunky that having some 80's 25-pin RS-232 port on the back of your phone; but it's conceptually pretty similar.

I think that is pretty key here, 185 times at the range of less than and inch or so is basically someone sitting there next to you pretty much touching you for 5 minutes. Obviously this is something that needs to be fixed but I'll hold off on my panic just yet. Even if it worked on the first try someone would have to first identify you as having a vulnerable phone, and where you have if (ie which pocket, etc) then get so close as to be practically touching you and then they have to hope that you have nfc enabled. This isn't some sort of thing you can do just casually walking down the street. It might be an issue for a particular person being targeted but not very likely for a random attack.

So that assumption here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

1) The bump into the side where the strangers phone was being held.
2) The two phones are perfectly at the same height (presumably in a pocket).
3) The strangers phone is vulnerable.
4) They have NFC enabled.
5) They could hold the phones in contact for the about of time necessary to transfer both an overloaded filed (presumably exceeded a buffer limit) and THEN also transfer the app compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).
6) Then after the hack succeeded they remained in contact long enough for the data from the strangers phone to be transferred back to the hackers phone.

All with anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

1) No challenge there.2) Try a few times, you're bound to have luck sooner or later - pocket heights don't vary that much.3/4) It's the default, and what most average users will have.5) Just a few seconds will do.6) The attacker can run anything on the target phone. I expect that whatever he runs would steal the data through other means, and not NFC (ie: email? remote server?)

Missed the part about walking down the street, ok so what other anonymous situations do you see? On the bus? Or are we talking about pickpockets? I can see this as an issue for non-anonymous situations (I know that guy and his phone is vulnerable) but for random situations I can't see a lot that would be overly successful. Perhaps you can help me see some of these situations instead of just cussing at me and calling me names?

One, you would need to have NFC enabled, which people may do, but at least I never do by default.

What ARE the uses for NFC right now. I know google wallet works for the galaxy nexus and a few phones by sprint, and ISIS hasn't come out yet, but what are people actually doing with it besides hacking phones and thinking about how at some point in the future, they'll be able to buy coffee with their phone?

I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.

I'm guessing it's a bigger deal to those who RTFA and see that this flaw can also be exploited by web and email; they just used NFC because it was novel. But true, it's not a big deal to people who like to complain but hate to be informed.

I'm saddened that so many of these people also choose to vote. Perhaps a little quiz at the polls: "Did Obama say that business owners didn't build their own businesses? Did Romney say that he wants to fire people? Did you ever, for more than 1.3 seconds, have a doubt

I am not totally sure why these handset hacks are always such big news. What are the chances that this can happen to a normal person? One, you would need to have NFC enabled, which people may do, but at least I never do by default. Two, you need physical access to the handset.Has it not been the case for a very long time that if you lose your handset that someone can use it, NFC or no NFC? Oh, and they need to trigger the exploit 185 times before it worked. I think we are still reasonably safe.

The point is if you're actually using NFC the very device you're rubbing your phone against can run code on it, install software, whatever, without you actually noticing anything.

Yes, if you're not using NFC you're safe.

For establishing NFC this is very bad news. It's hardly used anywhere and can already take over your phone if you use it.

Great, and how long do you think it will be until all of them are upgraded to the "current version"? a year? 2 years? Never is my guess.

I would say get a Nexus were it not for the tarnishing given the line by the Verizon debacle so I'll just say get a Nexus with GSM. And if the Galaxy Nexus isn't your speed then wait just a couple of months until Google releases the planned multiple simultaneous Nexus lines. As far as patching and new versions of the operating system go, Google is updating Android and releasing security fixes responsibly but it is still up to the OEMs to actually release for their individual handsets. The formula works t

Yup. For a Nexus device you will probably get security updates for about 1.5 years from the date that the device was FIRST announced (ie passed out at IO or whatever). For any other device you probably won't ever get an update, unless somebody manages to totally own the thing will it is still being advertised on TV.

If you care about updates on Android don't ever buy anything but a Nexus device, and don't buy the Nexus device unless it is no more than a few months old. I'd say in a few months the Nexus 7

Given the short range and low bandwidth (424 kilobits/s) of NFC technology, this is more of an esoteric attack than a practical one. I think I'd notice someone shadowing me with a hand at my pocket to connect to my Nexus S via its NFC chip and pull data from it...Still, it's a show of force (and vulnerabilities).

The more worrisome thing is probably that NFC is built in in the hope that swiping it all over the place against untrusted devices will become a normal behavior(sort of the way that attacks against the USB charge/data port are wildly impractical, until random charging kiosks start popping up in airports and all over the place, at which point behavioral protection goes out the window, and a bunch of systems intended only to connect to your home PC start getting shoved into god-knows-what...). Sure, as an attack to execute against the phone in your pocket, it is only marginally more practical than making a stab for the USB port; but if the happy-magic-future-of-even-more-middlemen-and-fees comes to pass, you'll see anywhere between several and dozens of readers a day getting a chance to try whatever they want when you shove your phone onto the pad(plus, if ATMs and mag stripe skimming are any indication, it will be about 20 minutes before somebody comes out with a nice little stick-on thin-circuit-in-rugged-sticker NFC 'skimmer' that can be planted on top of legitimate NFC pads and will do its best to MitM legitimate conversations or attack devices while they converse with the genuine NFC pad and log the results).

I posted this above but here's what I see (maybe I'm missing something so help me out).
So that assumption of danger here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

1) The bump into the side where the strangers phone was being held.
2) The two phones are perfectly at the same height (presumably in a pocket).
3) The strangers phone is vulnerable.
4) They have NFC enabled.
5) They could hold the phones in contact for the about of time necessary to transfer

I posted this above but here's what I see (maybe I'm missing something so help me out).

So that assumption of danger here is what? Someone walks down the street bumping into random strangers repeatedly hoping that:

1) The bump into the side where the strangers phone was being held.

2) The two phones are perfectly at the same height (presumably in a pocket).

3) The strangers phone is vulnerable.

4) They have NFC enabled.

5) They could hold the phones in contact for the about of time necessary to transfer both an overloaded filed (presumably exceeded a buffer limit) and THEN also transfer the app compromised app that allows the actual hack to work (over a connection with a maximum bandwidth of a few hundred kbits/s).

6) Then after the hack succeeded they remained in contact long enough for the data from the strangers phone to be transferred back to the hackers phone.

All with anyone noticing? That's all assuming they fix whatever issue was causing it to need to be run 185 times before it finally worked? Assuming those 185 times were the incremental transfers of all the data needed? Again I'm still not scared. And this is fixed in Jelly bean (which my S3 is running...doom on you close talking random guy on the street thinking you finally found someone with an S3 to stand uncomfortably close to!).

All ya gotta do is knock the stranger out. This just helps hackers not physically steal phones. Because stealing phones is wrong.:>

Someone discusses an NFC hack to root and steal data off Android and half the posts are "Apple isn't secure either!"

Focus people! Slashdot is supposed to be the home of Linux and Open Source and über hacks! Why isn't anyone deceminating how this hack works and posting some kind of work-around that isn't just "Don't use NFC" (a feature which Apple gets derided for not having)?

Remember, a fix isn't "Don't use NFC and switch to another browser." Let's assume a user *likes* NFC, and *likes* his web browser as it is. Lets *fix* the problem here. Any thoughts or conjecture?

Well the 5% who have a phone with NFC and Android ICS are in trouble huh? I wasn't saying that the discussion isn't interesting I'm just saying that the OP's comment that we have to focus on finding a solution isn't really relevant since it's already fixed in the OS and NFC can be disabled if you haven't been updated.

I was just being facetious - I admit this issue isn't as big as the story is making out (although any 0 day exploit is serious). I was just bringing up a counter point to the claim that the issue didn't matter because Jelly Bean fixes it, when only a couple of weeks ago slashdot ran a story about how the bulk of Android users are at least one version behind, and in some cases stuck there for good (unless they root their phone).

Samsung has incredible hardware. The Galaxy series of phones have all been quite remarkable. Their OLED technology puts out color gamut that makes Plasma TVs look like they were painted with pastel watercolors.

Their software has always blown. Every tried to use GPS on a samsung phone? How about USB mass storage mode? How about SVoice? How about waiting 2 years for ICS to come out on a device? How about USB Host mode on CDMA models? List goes on... They cut so many corners on software to get it out the do

Samsung has incredible hardware. The Galaxy series of phones have all been quite remarkable. Their OLED technology puts out color gamut that makes Plasma TVs look like they were painted with pastel watercolors.

There have been reports about problems with the WiFi on the S3. Also the review for the hardware have been favorable except that several reviewers commented that the display on the S3 is noticeably dimmer than the S2 and competing phones (CNET has one such review).

What I've never understood is the non-user replaceable battery with (now almost all) Apple products. Why create a disposable anything at that price? And if its not disposable, why do people sign up to be stuck taking the device (laptop/phone) to the Apple Store so they can overcharge labor and materials?

Regardless of how great the phone may be (or laptop for that matter.) If I can't change the battery myself, I'm not buying it. That holds true for any device.... There's no need for that shit THIS far int

What I've never understood is the non-user replaceable battery with (now almost all) Apple products.

To be fair. I'm using the same removable battery that came with my Android phone. My last Android phone that I upgraded from still has its original battery. I haven't purchased a replacement battery for either of my smartphones. I may have been lucky, but I have gone over 2 years of heavy use on my current phone (knock on wood).

Why create a disposable anything at that price? And if its not disposable, why d

The battery is replaceable, so I think the disposable comment is hyperbole.

I wasn't the one to coin that particular phrase, actually. I read it in an editorial from some tech website... it got me to thinking... soldered RAM, sealed cases, no (easily) removable battery.... it's becoming a commodity in the Appleverse. I believe the article made a valid point, and when you start considering the technical background of Apple's stereotypical customer, it doesn't seem so far-fetched. I don't think it'll come t

How is it possible at this age in computer development that we STILL design shit with giant holes in it? I honestly do not understand why it is so hard to make a robust and secure system. Is it because we demand so many features that they cant look at everything? How do you design a program that cannot be exploited? Why is it so very hard?

Cool. A security exploit was found and now it can be fixed. A rational person would go, I'll just disable NFC and be okay.

This being slashdot, we'll have more than our fair share of people insisting that this proves that Android is somehow inferior than their favorite brand of OS. This will in turn lead to Android fans pointing out how the other OS was also hacked. The next thing you know, we have an all out fanboy war on the comments. It's as if Slashdot editors are planning on this.

If that's the case, someone is probably already making a root-access-giving program that works through phone-to-phone NFC as we speak.Although... transmission through intimate contact? That sounds awfully like an STD...